Configuring Dynamic Host Configuration Protocol on the Cisco Security Appliance
The Cisco Security Appliance can be configured as either of the following:
■ DHCP server
■ DHCP client
Using the Cisco Security Appliance DHCP Server
The DHCP server is usually used in, but not limited to, SOHO environments. The address pool of a Cisco Security Appliance DHCP server must lie within the subnet of the Security Appliance interface on which the server is enabled, and you must specify that interface with if-name. In other words, the client must be physically connected to the subnet of a Security Appliance interface. The size of the pool is limited to 32 addresses with a 10-user license and 128 addresses with a 50-user license on the PIX 501. The unlimited user license on the PIX 501 and all other Security Appliance platforms supports 256 addresses. To configure DHCP on a Security Appliance, use the dhcpd command. The following is the syntax for the dhcpd command:
dhcpd address ip1[-ip2] if-name
dhcpd auto-config [outside]
dhcpd dns dns1 [dns2]
dhcpd wins wins1 [wins2]
dhcpd lease lease-length
dhcpd domain domain-name
dhcpd enable if-name
dhcpd option 66 ascii {server-name | server-ip-str}
dhcpd option 150 ip server-ip1 [server-ip2]
dhcpd ping-timeout timeout
debug dhcpd event
debug dhcpd packet
Table 6-12 describes the different dhcpd command parameters.

Table 6-12 dhcpd Command Parameters

address ip1[-ip2]: Specifies the IP pool address range.
auto-config: Enables the Security Appliance to set the DNS, Windows Internet Naming Service (WINS), and domain name values automatically, taking them from what its own DHCP client learned and passing them to the DHCP server. If the user also specifies DNS, WINS, and domain parameters, the command-line interface (CLI) parameters overwrite the auto-config parameters.
binding: Specifies the binding information for a given server IP address and its associated client hardware address and lease length.
code: Specifies the DHCP option code, either 66 or 150.
dns dns1 [dns2]: Specifies the IP addresses of the DNS servers for the DHCP client.
domain domain-name: Specifies the DNS domain name; for example, cspfa2.com.
if-name: Specifies the interface on which to enable the DHCP server.
lease lease-length: Specifies the length of the lease, in seconds, granted to the DHCP client from the DHCP server. The lease indicates how long the client can use the assigned IP address. The default is 3600 seconds. The minimum lease length is 300 seconds, and the maximum lease length is 2,147,483,647 seconds.
option 150: Specifies the Trivial File Transfer Protocol (TFTP) server IP address(es) designated for Cisco IP Phones in dotted-decimal format. DHCP option 150 is site-specific; it gives the IP addresses of a list of TFTP servers.
option 66: Specifies the TFTP server IP address designated for Cisco IP Phones and gives the IP address or the host name of a single TFTP server.
outside: Specifies the outside interface of the firewall.
ping-timeout: Specifies the timeout value of a ping, in milliseconds, before an IP address is assigned to a DHCP client.
server-ip(1,2): Specifies the IP address(es) of a TFTP server.
server-ip-str: Specifies the TFTP server in dotted-decimal format, such as 1.1.1.1, which is treated as a character string by the Security Appliance DHCP server.
server-name: Specifies an American Standard Code for Information Interchange (ASCII) character string representing the TFTP server.
statistics: Provides statistical information, such as address pool, number of bindings, malformed messages, sent messages, and received messages.
wins wins1 [wins2]: Specifies the IP addresses of the Microsoft NetBIOS name servers (Windows Internet Naming Service servers). The second server address is optional.
In addition to supporting a DHCP client and DHCP server configuration, the Security Appliance also supports a DHCP relay configuration. The DHCP relay configuration enables the Security Appliance to assist in the dynamic configuration of IP hosts on any Ethernet interface. When the Cisco Security Appliance receives a request from a host on an interface, it forwards the request to a user-configured DHCP server on another interface. The DHCP relay agent is a feature introduced in security software version 6.3.
A Security Appliance allows an integrated DHCP server to be configured on any interface, and on any number of interfaces. The DHCP client can be configured only on the outside interface, and the DHCP relay agent can be configured on any interface. The DHCP server and DHCP relay agent cannot be configured concurrently on the same Security Appliance, but the DHCP client and DHCP relay agent can be configured concurrently.
As with all other DHCP servers, the DNS, Windows Internet Naming Service (WINS), IP address lease time, and domain information can be configured on the Security Appliance. The following six steps are required to enable the DHCP server feature on the Security Appliance:
Step 1 Enable the DHCP daemon on the Cisco Security Appliance to listen to DHCP requests from clients:
pix(config)#dhcpd enable inside
Step 2 Specify the IP address range that the Security Appliance DHCP server assigns:
pix(config)#dhcpd address 10.10.10.15-10.10.10.100 inside
Step 3 Specify the lease length to grant to the client (the default is 3600 seconds):
pix(config)#dhcpd lease 2700
Step 4 Specify a DNS server (optional):
pix(config)#dhcpd dns 192.168.10.68 192.168.10.73
Step 5 Specify a WINS server (optional):
pix(config)#dhcpd wins 192.168.10.66
Step 6 Configure the domain name the client will use (optional):
pix(config)#dhcpd domain axum.com
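The constraints stated above (pool inside the enabled interface's subnet, pool size capped by license, lease between 300 and 2,147,483,647 seconds, at most two DNS or WINS servers, no DHCP server alongside a DHCP relay agent) are easy to violate when a configuration is built by hand or templated. The following Python script is an added example, not code from the book or from Cisco: it checks a candidate configuration against those constraints and renders the six-step dhcpd command set. The DhcpdConfig class, the validate and render functions, and the inside interface address 10.10.10.1/24 are assumptions constructed for this example; the pool, lease, DNS, WINS and domain values are the ones used in the six steps. One check, that the pool must not contain the interface's own address, goes beyond the text and is marked as such in the code.

```python
"""Consistency checks for a PIX/ASA dhcpd server configuration.

Added example, not code from the book or from Cisco. It encodes the
constraints the text states and renders the dhcpd command lines. The
DhcpdConfig class and the interface address 10.10.10.1/24 are constructed
for this example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Maximum pool size per license, as the text gives them.
POOL_LIMIT = {"10-user": 32, "50-user": 128, "unlimited": 256}
LEASE_MIN, LEASE_MAX, LEASE_DEFAULT = 300, 2_147_483_647, 3600


@dataclass
class DhcpdConfig:
    if_name: str                 # interface the server is enabled on (if-name)
    if_address: str              # that interface's own address in CIDR form
    pool_start: str              # dhcpd address ip1
    pool_end: str                # dhcpd address ip2
    license: str = "unlimited"   # "10-user", "50-user" or "unlimited"
    lease: int = LEASE_DEFAULT   # seconds
    dns: List[str] = field(default_factory=list)
    wins: List[str] = field(default_factory=list)
    domain: Optional[str] = None
    relay_enabled: bool = False  # DHCP relay agent configured on the same box


def validate(cfg: DhcpdConfig) -> List[str]:
    """Return the list of constraint violations; an empty list means consistent."""
    problems = []
    iface = ipaddress.ip_interface(cfg.if_address)
    start = ipaddress.ip_address(cfg.pool_start)
    end = ipaddress.ip_address(cfg.pool_end)

    if end < start:
        problems.append("pool end address precedes pool start address")
    # The pool must lie within the subnet of the interface the server is enabled on.
    for addr in (start, end):
        if addr not in iface.network:
            problems.append(f"{addr} is outside the {cfg.if_name} subnet {iface.network}")
    # Extra sanity check not stated in the text: the server must not hand out
    # its own interface address to a client.
    if start <= iface.ip <= end:
        problems.append(f"pool contains the interface address {iface.ip}")

    size = int(end) - int(start) + 1
    limit = POOL_LIMIT[cfg.license]
    if size > limit:
        problems.append(f"pool of {size} addresses exceeds the {cfg.license} license limit of {limit}")

    if not LEASE_MIN <= cfg.lease <= LEASE_MAX:
        problems.append(f"lease {cfg.lease} s is outside {LEASE_MIN}-{LEASE_MAX} s")
    # dhcpd dns and dhcpd wins each take at most two server addresses.
    for name, servers in (("dns", cfg.dns), ("wins", cfg.wins)):
        if len(servers) > 2:
            problems.append(f"dhcpd {name} accepts at most two servers, got {len(servers)}")
    if cfg.relay_enabled:
        problems.append("DHCP server and DHCP relay agent cannot coexist on one appliance")
    return problems


def render(cfg: DhcpdConfig) -> List[str]:
    """Emit the dhcpd commands in the order of the six steps in the text."""
    lines = [
        f"dhcpd enable {cfg.if_name}",
        f"dhcpd address {cfg.pool_start}-{cfg.pool_end} {cfg.if_name}",
        f"dhcpd lease {cfg.lease}",
    ]
    if cfg.dns:
        lines.append("dhcpd dns " + " ".join(cfg.dns))
    if cfg.wins:
        lines.append("dhcpd wins " + " ".join(cfg.wins))
    if cfg.domain:
        lines.append(f"dhcpd domain {cfg.domain}")
    return lines


# Constructed sample using the values from the six-step walkthrough, with an
# assumed inside interface address of 10.10.10.1/24.
SAMPLE = DhcpdConfig(
    if_name="inside", if_address="10.10.10.1/24",
    pool_start="10.10.10.15", pool_end="10.10.10.100",
    lease=2700, dns=["192.168.10.68", "192.168.10.73"],
    wins=["192.168.10.66"], domain="axum.com",
)

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("PROBLEM:", problem)
    print("\n".join(render(SAMPLE)))
```

Running the script with the sample prints no problems and the six commands from the steps above. Changing the license to "10-user" flags the 86-address pool as over the 32-address limit, and moving the pool end to a different subnet, dropping the lease below 300 seconds, or enabling the relay agent each produce their own finding, so the checker can be run over generated configurations before they are pushed to an appliance.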